Hardware Reference
In-Depth Information
We will construct a booby trap hooked into the Raspbian login system. There will be
two versions of the trigger mechanism:
• A special login name of your choice is used as a trigger word. As soon as you
try to log in as this user, directly on the console with a keyboard or remotely
over SSH, the encrypted
pi
home directory is wiped clean and recreated.
• A certain number of failed login attempts as the
pi
user will be used as a
trigger signal to wipe the encrypted home directory and recreate it.
The beauty of having both versions is that the special login name can be triggered by
you from a distance and the failed login attempt could be triggered by a foe trying to
gain access to the Pi.
1.
The Raspbian login system uses
Pluggable Authentication Module
(
PAM
)
to authenticate users. That's where we need to put our hook for the booby
trap. Open up the common authentication configuration file for editing with
the following command:
pi@raspberrypi ~ $ sudo nano /etc/pam.d/common-auth
2.
Find the line that contains
success=1
and change it to
success=2
.
This directive specifies how many rules to skip if the user login is successful.
We change it to
2
because we're going to add a new rule next.
3.
Create a new line under the one we just changed and put the following:
auth optional pam_exec.so /home/slatfatf.sh
This rule means that when a user login fails, a script that we'll write, called
/
home/slatfatf.sh
, will be run. You're free to name the script whatever you
want and place it in any location (except the
pi
home directory).
4. Now create another new line at the bottom of the file and put the following:
auth optional pam_exec.so /bin/rm -f /home/slatfatf.count
